When using SAML claims through ADFS 2.0 it is useful to have a way to see exactly which claims the identity provider is returning to SharePoint. We came across a web part that leverages a “TokenVisualizer” control and provides an easy way to view the contents of the SAML token for the logged-on user. This is based on a blog post by Liam Cleary, so be sure to visit it for additional details.
This article is part of a larger series that specifically chronicles our efforts to implement SharePoint 2013 using ADFS and an identity provider. Below is a list of other articles in the series:
- SharePoint 2013 and ADFS 2.0 Installation Guide
- Lab Environment
- Install Windows Certificate Authority
- ADFS Prerequisites
- How to Install and Configure ADFS 2.0
- Configure User Profile Service for ADFS 2.0
- Configure Search to Crawl Web Applications Using Claims and ADFS 2.0
- Configure People Picker to resolve ADFS Identities
- Adding Host Name Site Collections to Existing Web Application Configured to use ADFS 2.0
- Validate Configuration with “Claims Viewer Web Part”
The following steps outline how to deploy the solution; it is deployed at the farm level, so it is installed once rather than per web application.
- Download the WSP file from http://blog.helloitsliam.com/Presentations/Helloitsliam.ClaimsViewerWebPart.wsp
- Copy the solution file to one of the servers in the SharePoint farm.
- Logon to the server where the WSP file is located
- Launch the “SharePoint 2013 Management Shell”
- Navigate to the location of the WSP file (D:\Software\CodePlex\ClaimsViewer\ in this example)
- Add the solution to the farm’s solution store and deploy it (Add-SPSolution followed by Install-SPSolution)
- Verify the solution was deployed by running the “Get-SPSolution” cmdlet. The “Deployed” column should read “True” once the “helloitsliam.claims.viewerwebpart.wsp” solution is deployed.
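The deployment steps above, as an added PowerShell example run from the SharePoint 2013 Management Shell. This is not code from the original post or from the web part’s author; the WSP path, the solution name pattern and the use of -GACDeployment are assumptions for this lab, so adjust them to match your copy of the file.

```powershell
# Added example (not from the original post): deploy the Claims Viewer WSP
# from the SharePoint 2013 Management Shell and verify the result.
# Assumptions: the path below is where the WSP was copied, and the package
# installs its assembly to the GAC (hence -GACDeployment).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wspPath = "D:\Software\CodePlex\ClaimsViewer\Helloitsliam.ClaimsViewerWebPart.wsp"
if (-not (Test-Path -LiteralPath $wspPath)) { throw "WSP not found at $wspPath" }

# Register the package in the farm's solution store (does not deploy it yet).
Add-SPSolution -LiteralPath $wspPath

# The solution's name in the store is derived from the file name; match loosely
# so the example also works with the name shown in the post.
$solution = Get-SPSolution | Where-Object { $_.Name -like "helloitsliam.claims*viewerwebpart.wsp" }
if (-not $solution) { throw "Solution was not added to the solution store." }

# Deploy to the farm. -GACDeployment is required when the WSP contains
# assemblies destined for the GAC (assumed here).
Install-SPSolution -Identity $solution.Name -GACDeployment

# Deployment runs as a timer job; wait for it before trusting the Deployed flag.
while ((Get-SPSolution -Identity $solution.Name).JobExists) {
    Start-Sleep -Seconds 5
}

# Verify: Deployed should be True and the last operation should not report an error.
Get-SPSolution -Identity $solution.Name |
    Select-Object Name, Deployed, LastOperationResult, LastOperationDetails
```

If LastOperationResult reports a failure, the details column usually names the server or the assembly that could not be deployed; fix that and re-run Install-SPSolution rather than re-adding the solution.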
Each site collection in the “Portal” web application will have a site collection feature called “ClaimsViewerWebPartFeature1” that must be activated before the web part becomes available.
- Using an account that is a “Site Collection Administrator”, navigate to the site where you want to place the claims viewer web part. In this example I’ll use https://portal.2008r2.local.
- Click on the gear icon in the upper right hand corner and select the “Site Settings” option
- Navigate to the “Site Collection Administration” section and click on the “Site collection features” link
- Click the “Activate” button next to the “ClaimsViewerWebPartFeature1” entry
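The feature activation above, as an added PowerShell example that is not part of the original post. The site URL is the one used in this lab; looking the feature up by its display name is an assumption, made because the post gives the feature’s display name but not its folder name or ID.

```powershell
# Added example (not from the original post): activate the Claims Viewer
# site collection feature with PowerShell instead of the Site Settings page.
# Assumption: the feature definition's display name matches the name shown
# in Site Settings ("ClaimsViewerWebPartFeature1").
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://portal.2008r2.local"

# Resolve the installed feature definition by display name so the GUID is not guessed.
$feature = Get-SPFeature | Where-Object { $_.DisplayName -like "*ClaimsViewerWebPartFeature*" }
if (-not $feature) { throw "Claims viewer feature definition not found; is the WSP deployed?" }
if ($feature.Scope -ne "Site") { throw "Expected a site collection (Site) scoped feature, got $($feature.Scope)." }

# Activate it on the target site collection.
Enable-SPFeature -Identity $feature.Id -Url $siteUrl

# Verify: the feature must now be in the site collection's active feature list.
$site = Get-SPSite $siteUrl
try {
    $active = $site.Features | Where-Object { $_.DefinitionId -eq $feature.Id }
    if (-not $active) { throw "Feature $($feature.DisplayName) is not active on $siteUrl." }
    "Feature $($feature.DisplayName) is active on $siteUrl"
}
finally {
    $site.Dispose()
}
```

When you have finished validating claims, the same lookup with Disable-SPFeature -Identity $feature.Id -Url $siteUrl turns the feature off again.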
Add Web Part to Page
Now that the feature is activated, the web part can be added to a page in the site. It can go on any page; for this article we will place it on the main landing page.
- Click the “Page” tab on the ribbon bar
- Click the “Edit” button on the ribbon bar
- Click the “Insert” tab on the ribbon bar
- Click the “WebPart” button on the ribbon bar
- In the “Categories” section click on the “Custom” folder
- In the “Parts” section select the “ClaimsViewerWebPart – ClaimsVisualizer” entry and then click the “Add” button
- The web part is now added to the page. Click “Save” in the ribbon bar to commit the change.
Test Claims Viewer Web Part
The web part should now appear on the https://portal.2008r2.local site in collapsed form. Click the + icon to expand it and view the contents of the SAML token for the logged-on user.
The display is divided into two sections, “Issued Identity” and “SAML Token”. In the “Issued Identity” section the “nameidentifier” entry should show the logged-on user’s email address. There will also be several “role” entries, one for each role the user is a member of. The “emailaddress” and “role” claims are the values that can be used to assign permissions to objects on the site for that user. Because the web part renders the user’s full security token on the page, use it only to validate the configuration: deactivate the feature and remove the web part once you have confirmed the claims are what you expect.
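To cross-check what the web part displays against what SharePoint will actually use, the following added PowerShell example (not from the original post) reads the claim mappings of the ADFS trusted identity token issuer and builds the encoded claim strings SharePoint uses when an email or role claim is granted permissions. The issuer name “ADFS”, the role claim type URI and the sample user and role values are assumptions for this lab.

```powershell
# Added example (not from the original post): compare the claims shown by the
# web part with the claim types SharePoint has mapped for the ADFS issuer, and
# produce the encoded claim strings used in permission assignments.
# Assumptions: the trusted identity token issuer is named "ADFS"; ADFS issues
# roles under the 2008/06 role claim type; sample values are constructed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuer = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq "ADFS" }
if (-not $issuer) { throw "Trusted identity token issuer 'ADFS' not found." }

# The identity claim is what SharePoint uses as the user's login; it should match
# the value the web part shows as the user's identifier.
"Identity claim type: " + $issuer.IdentityClaimTypeInformation.InputClaimType
$issuer.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim

# A claim present in the SAML token but absent from this mapping table is
# ignored by SharePoint even though the web part still displays it.
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"   # assumption
foreach ($type in @($emailType, $roleType)) {
    $mapped = $issuer.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $type }
    if (-not $mapped) { Write-Warning "Claim type $type is not mapped on issuer $($issuer.Name)." }
}

# Build the claims SharePoint would store when these values are granted permissions.
$userClaim = New-SPClaimsPrincipal -ClaimValue "user@2008r2.local" -ClaimType $emailType `
                                   -TrustedIdentityTokenIssuer $issuer -IdentifierClaim
$roleClaim = New-SPClaimsPrincipal -ClaimValue "Portal Members" -ClaimType $roleType `
                                   -TrustedIdentityTokenIssuer $issuer

# The encoded form is what appears in the People Picker and in site permissions.
"User claim (encoded): " + $userClaim.ToEncodedString()
"Role claim (encoded): " + $roleClaim.ToEncodedString()

# Round-trip: decode an encoded claim back to its type, value and issuer.
[Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local.DecodeClaim($roleClaim.ToEncodedString()) |
    Select-Object ClaimType, Value, OriginalIssuer
```

If a role shown by the web part never resolves in the People Picker, the warning from this script is the first thing to check: the role claim type ADFS issues must appear in the issuer’s ClaimTypeInformation, with the same URI, before SharePoint will honour it.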